✅D31eg4t3

Idea

The challenge contract does delegatecall on address(msg.sender), which is user-controlled:

    function hackMe(bytes calldata bites) public returns(bool, bytes memory) {
        (bool r, bytes memory msge) = address(msg.sender).delegatecall(bites);
        return (r, msge);
    }

The other function uses the onlyOwner modifier:

    function hacked() public onlyOwner{
        canYouHackMe[msg.sender] = true;
    }

However, there is no way to bypass this thing:

    modifier onlyOwner {
        require(false, "Not a Owner");
        _;
    }

But we can modify storage slots directly via the delegatecall. Recall that delegatecall is like calling a library function, the state changes are made in the caller's context instead of callee's.

PoC

QuillCTF-PoC/D31eg4t3/test/D31eg4t3.t.sol at main · ret2basic/QuillCTF-PoCGitHub

D31eg4t3 - PoC